I have a registry:2 deployed as a pod in my Kubernetes cluster (running on docker-for-win, WSL2). I have two services for this pod as shown below:
apiVersion: v1
kind: Service
metadata:
  name: registry-external
spec:
  type: NodePort
  selector:
    app: registry
  ports:
    - protocol: TCP
      port: 5000
      nodePort: 32020
---
apiVersion: v1
kind: Service
metadata:
  name: registry
spec:
  selector:
    app: registry
  ports:
    - name: http
      protocol: TCP
      port: 2100
      targetPort: 5000
So the first one is for reaching the registry from outside the cluster (on port 32020, so I can docker login localhost:32020 on the host machine) and one is for reaching the registry from the inside (on port 2100).
The login from outside works just fine. I've verified by nslookup registry on the cluster that the registry should be reachable on registry.default.svc.cluster.local. So I created my image pull secrets with
{
  "auths": {
    "registry.default.svc.cluster.local:2100": {
      "auth": "......"
    },
    ...
  }
}
When I try to deploy a pod with this image pull secret and image registry.default.svc.cluster.local:2100/animage:latest it fails with
dial tcp: lookup registry.default.svc.cluster.local on 192.168.65.1:53: no such host
I'm puzzled by this: shouldn't the URL be valid at the time of image pull?
The issue here is that the pull is executed in an environment where the kubernetes cluster DNS is not available, i.e. a cluster node, but not a cluster pod (in case of kubernetes on docker-for-win, it is executed on the same network as the host).
Since the registry is also exposed with a NodePort service, it can be reached on the nodePort port 32020 on localhost. Therefore, the image pull secret needs to be adjusted to
{
  "auths": {
    "localhost:32020": {
      "auth": "......"
    },
    ...
  }
}
and the image to pull becomes localhost:32020/animage:latest.
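Added example, not part of the original answer: a small Python pre-deployment check that flags the two ways this pull can fail, namely an image registry host that only cluster DNS can resolve, and a pull secret whose auths key does not match the registry in the image reference. The cluster-domain suffix list, the exact-match key lookup, and the user/pw credentials are assumptions made for illustration.

```python
import base64
import json

# Assumption: default cluster domain; names ending in these resolve only via cluster DNS.
CLUSTER_SUFFIXES = (".svc", ".svc.cluster.local", ".cluster.local")


def registry_of(image):
    """Return the registry host[:port] of an image reference.

    Docker's rule: the first path component is a registry only if it
    contains '.' or ':' or is 'localhost'; otherwise Docker Hub is implied.
    """
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def make_dockerconfig(server, user, password):
    """Build a .dockerconfigjson document with one auths entry."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    return json.dumps({"auths": {server: {"auth": auth}}})


def check_pull(image, dockerconfig_json):
    """Return the problems that would break an image pull performed on the node."""
    problems = []
    registry = registry_of(image)
    host = registry.rsplit(":", 1)[0] if ":" in registry else registry
    if host.endswith(CLUSTER_SUFFIXES):
        problems.append(f"{host} is a cluster DNS name; the node cannot resolve it")
    # Simplification: exact key match only (no scheme or path variants).
    auths = json.loads(dockerconfig_json).get("auths", {})
    if registry not in auths:
        problems.append(f"no credentials for {registry} in pull secret (has: {sorted(auths)})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs mirroring the question and the answer.
    internal = "registry.default.svc.cluster.local:2100"
    cases = [
        (internal + "/animage:latest", make_dockerconfig(internal, "user", "pw")),
        ("localhost:32020/animage:latest", make_dockerconfig("localhost:32020", "user", "pw")),
    ]
    for image, cfg in cases:
        print(image, "->", check_pull(image, cfg) or "ok")
```
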